Terms such as cyber threats, vulnerabilities, and risks are often used interchangeably and confused. This post aims to define each term, highlight how they differ, and show how they are related to one another.
Cyber threats, or simply threats, are cybersecurity circumstances or events whose outcome has the potential to cause harm. A few examples of common threats include a social-engineering or phishing attack that leads to an attacker installing a trojan and stealing private information from your applications, political activists DDoS-ing your website, an administrator accidentally leaving data unprotected on a production system and causing a data breach, or a storm flooding your ISP's data center.
Cybersecurity threats are actualized by threat actors. A threat actor is a person or entity that may initiate a threat. While natural disasters, as well as other environmental and political events, do constitute threats, they are not generally regarded as threat actors (this does not mean that such threats should be disregarded or given less importance). Examples of common threat actors include financially motivated criminals (cybercriminals), politically motivated activists (hacktivists), competitors, careless employees, disgruntled employees, and nation-state attackers.
Cyber threats become more dangerous when threat actors can leverage one or more vulnerabilities to gain access to a system, and that access may extend to the underlying operating system.
Vulnerabilities are weaknesses in a system. They make threat outcomes possible and potentially even more damaging. A system can be compromised through a single vulnerability: for example, a single SQL Injection attack could give an attacker full control over sensitive data. An attacker can also chain several exploits together, taking advantage of more than one vulnerability to gain more control.
Risks are often confused with threats. However, there is a subtle difference between the two. A cybersecurity risk is the combination of a threat's probability and its loss/impact (usually expressed in monetary terms, although quantifying a breach is extremely difficult). Essentially, this translates to the following:
risk = threat probability * potential loss
Therefore, a risk is a scenario that should be avoided, combined with the losses likely to result from that scenario. The following is a hypothetical example of how a risk can be constructed:
- SQL Injection is a vulnerability
- Sensitive data theft is one of the biggest threats that SQL Injection enables
- Financially motivated attackers are one of the threat actors
- The impact of sensitive data being stolen is a significant cost to the business (financial and reputational loss)
- The probability of such an attack is high, given that SQL Injection is an easy-access, widely exploited vulnerability and the site is externally facing
Therefore, the SQL Injection vulnerability in this scenario should be treated as a high-risk vulnerability.
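The following is an added example, not part of the original post, that models the construction above as a small risk register: each entry records a vulnerability, the threat it enables, the expected threat actor, and the two inputs to the formula risk = threat probability * potential loss. The entries, the probabilities, the loss figures and the high/medium thresholds are all assumptions chosen for illustration; a real programme would supply its own estimates.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Rating thresholds are assumptions for this example, in the same (monetary)
# units as potential_loss. A real risk-management programme sets its own.
HIGH_RISK_THRESHOLD = 100_000.0
MEDIUM_RISK_THRESHOLD = 10_000.0


@dataclass(frozen=True)
class RiskScenario:
    """One row of a risk register: the threat a vulnerability enables, the actor
    expected to realise it, and the two inputs to the risk formula."""
    vulnerability: str
    threat: str
    threat_actor: str
    probability: float      # likelihood the threat is realised in the period, 0.0..1.0
    potential_loss: float   # estimated loss if it is realised (assumed monetary units)

    def __post_init__(self) -> None:
        # Reject inputs that make the product meaningless.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"probability must be within [0, 1], got {self.probability}")
        if self.potential_loss < 0:
            raise ValueError("potential_loss cannot be negative")

    def risk(self) -> float:
        # The post's formula: risk = threat probability * potential loss
        return self.probability * self.potential_loss


def classify(risk_value: float) -> str:
    """Map a risk value to a coarse rating using the assumed thresholds."""
    if risk_value >= HIGH_RISK_THRESHOLD:
        return "high"
    if risk_value >= MEDIUM_RISK_THRESHOLD:
        return "medium"
    return "low"


def rank_scenarios(scenarios: List[RiskScenario]) -> List[Tuple[RiskScenario, float, str]]:
    """Return (scenario, risk value, rating) ordered from highest to lowest risk,
    so that the scenario to treat first is at the top."""
    scored = [(s, s.risk(), classify(s.risk())) for s in scenarios]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample register; the figures are illustrative assumptions only.
SAMPLE_REGISTER = [
    RiskScenario("SQL Injection in externally facing web app", "Sensitive data theft",
                 "Financially motivated criminals", probability=0.6, potential_loss=500_000),
    RiskScenario("Unprotected data on production system", "Accidental data breach",
                 "Careless employee", probability=0.2, potential_loss=150_000),
    RiskScenario("Web server without DDoS protection", "Site outage",
                 "Hacktivists", probability=0.3, potential_loss=20_000),
    RiskScenario("ISP data center on a flood plain", "Storm flooding",
                 "None (environmental)", probability=0.01, potential_loss=2_000_000),
]


if __name__ == "__main__":
    for scenario, value, rating in rank_scenarios(SAMPLE_REGISTER):
        print(f"{rating:>6}  {value:>12,.0f}  {scenario.vulnerability} -> {scenario.threat}")
```

Note how the ranking separates threat from risk: the flood has by far the largest potential loss, yet its low probability places it below the accidental breach, while the SQL Injection scenario, with both a high probability and a large loss, comes out as the high-risk item the post describes.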
The difference between a vulnerability and a cyber threat, and the difference between a vulnerability and a risk, are usually easy to understand. The difference between a threat and a risk, however, is more nuanced. Understanding this difference in terminology allows for clearer communication between security teams and other parties and a better understanding of how threats influence risks, which in turn may help prevent and mitigate security breaches. A good understanding is also needed for effective risk assessment and risk management, for designing efficient security solutions based on threat intelligence, and for building an effective security policy and cybersecurity strategy.